Two Factor Authentication

It seems like more and more I come across articles discussing Two Factor Authentication (2FA), so my curiosity got the best of me and I started reading about it.

Since I run several WordPress blogs/websites, my concern was to do my best to keep hackers from gaining access to my administration pages. When WordPress is installed, you get a default user called “Admin”, and if you do not change that username then a hacker already has half of the information they need to get into your site and do some damage! All they need to do is brute force the password and they are in. So, for any software or online account that defaults to a commonly known administrator username, the first thing you must do is log in, create a new administrator account with a hard-to-guess username, test it to be sure it’s working, and then delete the default “Admin” account completely.

Now that step one is complete, and you have a nice strong password, let’s discuss Two Factor Authentication. Basic password authentication works off of something that you know: you know your username and password. 2FA works off of something you know (password) and something you have (cell phone, tablet…). After you enter your password, a code is sent to your phone that you then type in to complete the login process. There is also an app called Google Authenticator which you can install on your phone; it generates the code for you, so you don’t have to wait for the code to arrive in a text message.

Not all sites and software support GA, and in those cases you will have to wait for the text message.

For my WordPress sites I found that it was quite simple to install two plugins that enable 2FA for use with the Google Authenticator app.

The first plugin to install is Google Authenticator

It is easy to set up: you just have to enter the name of your WordPress blog/website, click the Show/Hide QR Code button and scan the code with the GA app on your phone. The only drawback to this plugin is that it presents every user with a box for the GA code on the login screen. If you have users without administrative privileges, the presence of this box might be confusing to those users.

To solve that problem, the second plugin to install is Google Authenticator – Per User Prompt.

This will make the first login screen look normal, asking only for a username and password. If the user has set up 2FA on their account, the next screen will ask for the GA code.

Get these plugins installed and the app on your phone and your site’s security just took a huge jump for the better.

Other sites also use some form of 2FA. On some you can use the GA app on your phone, and some sites have other ways of implementing 2FA. Here’s a great article detailing many popular sites that you can set up to use 2FA when you log in: